According to CNN Money, some customers’ credit and debit card numbers as well as expiration dates were compromised, but the company said there is no evidence that information such as customers’ names or PINs were stolen.

A letter from Michaels CEO confirms the breach occurred between May 8, 2013 and January 27, 2014 and affected about 7 percent of transactions made with cards during that time.

However, not all stores were impacted and a “limited number” of those cards were subsequently used fraudulently, Michales said.

The Michaels subsidiary Aaron Brothers was also hacked.

Information from another 400,000 cards was potentially stolen at the Aaron Brothers stores between June 26, 2013 and February 27, 2014.

“We want you to know we have identified and fully contained the incident, and we can assure you the malware no longer presents a threat to customers while shopping at Michales or Aaron Brothers,” wrote CEO Chuck Rubin in a post on the company’s website.